﻿<?php 

//Please start the session.. xD
session_start();

/*
 * PARENT INFORMER: Joseph Betansos, Carl Dizon, Karlo Garcia,
 *                  Aljero Jimenez, Ronaldo Sales
 * @date: 2/25/2011
 *
 * @verify.php: This PHP document is used by index.php and
 *              logerr_atmpt.php to pass values related to
 *              user login. The scripts below verify the username
 *              and password inputted in index.php or logerr_atmpt.php.
 *              The user is taken to the main page when the username and
 *              password all pass through the authentication measures
 *              set-up in this script. When not, the user is taken to
 *              logerr_atmpt.php to enter a username and its matching
 *              password.
 *
 * Status codes (For use in $_SESSION['theerrcode'];)
 *
 * CODE 0: Already logged in... xD
 * CODE 1: Username of password incorrect (regardless of type) :D
 * CODE 2: Incomplete cookies (regardless of type) :))
 * CODE 3: No username or password input (regardless of type) :p
 */
$_SESSION['theerrcode'] = 0;

// Load configuration file
require_once("../sqlconfig.php");

//Use SHA-256 Encryption :))
require_once("lib/sha256.php");

//Connect to MySQL and select the Parent Informer RCSHS database
mysql_connect($server, $sqlusr, $sqlpass) or die(mysql_error());
mysql_select_db($mydb) or die(mysql_error()); 

/*
 * This conditon tests whether there were stored cookies - 
 * which contain the username and cryptographic password of the
 * user - in the user's computer. If there is, test for cookie values
 * and compare them against the database. If the cookies passed the
 * test, redirect them to the main page. If there was no cookie, or
 * one of them is missing, then evaluate input from index.php or
 * logerr_atmpt.php depending if there were errors in user input.
 */
if(isset($_COOKIE["parentinformerprcshs"]) && isset($_COOKIE["parentinformerurcshs"])) { 
	$username = $_COOKIE["parentinformerprcshs"]; 
	$pass = $_COOKIE["parentinformerurcshs"];
	$check = mysql_query("SELECT * FROM logtbl WHERE usernm = '".$username."'") or die(mysql_error());
	while($info=mysql_fetch_array($check)) {
		if ($pass!=$info['pwrnd']) {
			header("Location: logerr_atmpt.php");
		}
		else {
			header("Location: ../main.php");
		}
	}
}
else {
/*
 * This condition checks the username and password inputted
 * by the user to access the user-specific pages of the site.
 * This checks the username and cryptographic password against
 * the website database.
 *
 * ERROR CODE 1 is assigned if username or password is not found
 * or does not match in the database.
 * ERROR CODE 2 is assigned if cookies detected were incomplete
 * (for example, the username cookie exists but the other does
 * not).
 * ERROR CODE 3 is assigned if there was no username or password
 * input in the previous page.
 */  
	if($_POST['submitbtn']) {

		// Temporarily prevent SQL injection
		$_POST['usrnm'] = mysql_real_escape_string($_POST['usrnm']);

		if(empty($_POST['usrnm']) || empty($_POST['paswrd'])) {
			$_SESSION['theerrcode'] = 3;
			header("Location: logerr_atmpt.php");
			die();
		}

		//Checks whether the username exists in the database
		$check = mysql_query("SELECT * FROM logtbl WHERE usernm = '".$_POST['usrnm']."'") or die(mysql_error());
		$check2 = mysql_num_rows($check);

		//If the username does not exist, redirect to the login attempt page
		if ($check2 == 0) {
			$_SESSION['theerrcode'] = 1;
			header("location: logerr_atmpt.php");
			die();
		}

		//Preliminary filters before password matching
		while($info = mysql_fetch_array($check)) {
			$_POST['paswrd'] = stripslashes($_POST['paswrd']);
			$info['pwrnd'] = stripslashes($info['pwrnd']);
			$_POST['paswrd'] = sha256($_POST['paswrd']);

			//If password does not match the username, redirect to the login attempt page
			if ($_POST['paswrd'] != $info['pwrnd']) {
				$_SESSION['theerrcode'] = 1;
				header("Location: logerr_atmpt.php");
				die();
			}
			else {
				/*
				 * If password matches the username, redirect them to the main page
				 * Also, set cookies to expire a day after setting them.
				 */
				$_POST['usrnm'] = stripslashes($_POST['usrnm']); 
				$hour = time() + 86400;
				setcookie("parentinformerprcshs", $_POST['usrnm'], $hour,"/"); 
				setcookie("parentinformerurcshs", $_POST['paswrd'], $hour,"/");
				unset($_SESSION['theerrcode']);
				header("Location: redir.php");
				die();
			}  
		} 
	}
	else {
		$_SESSION['theerrcode'] = 2;
		header("Location: logerr_atmpt.php");
		die(); 
	}
}
?>